Right! I actually started myself out in web programming, learnt two languages (not fluently though) and, more importantly, UNIX commands. Now I've got an interest in server security, yet it looks like a totally new field for me. I failed to find any specific resources on this and I have no idea where to start. I wish someone in the community could provide me some resources or hints on how I should proceed (like making a website you need PHP, making an app you need Java). Can anyone give me a kickstarter please? (Maybe tools and stuff, best with tutorials of course.)

Well, since you said you were into web programming and then learned Unix commands, why not make the transition smooth and start off with some shell scripting? Not because the languages are similar, but because you are used to writing code. Now it's just for a different purpose.

OK, pentesting is quite hard to get into if you're not willing to put a lot of time into it and eat, sleep and breathe security.

You will first want to start by learning the basics of networking. The easiest way to learn is probably to start with a CCNA book. I started with the CCNA 640-802 Official Cert Library, which tells you the basics. Since most servers run Cisco products it's best to start there and then maybe go on to Juniper etc. You must learn the ins and outs of TCP/IP; if you don't know any of this then you're not going to get far.

Now you are going to want to either set up a second PC or partition your HDD for a fresh install of BackTrack 5. The newer version is Kali, but it has some bugs and may be a bit difficult to install. This operating system has a very large collection of pentesting tools; use them on your own network, see what they do, and read the readme files/tutorials. You can run this off a live USB if you want; just visit the BackTrack website, Google will take you there.

I personally have two computers: one with Windows 7 and a Windows Vista VM, and another laptop that runs Kali, for testing on both operating systems. I can't be bothered with Windows 8 yet.

Once you've got the basics, pass your CCNA, then get a CCNA Security; these are to get your foot in the door. Maybe look up the BackTrack pentesting course to see if you're up to scratch. There are others out there, just do a Google search, but expect to pay £300 - £1000 for the courses.

Try to get a junior admin job and work your way up. (Not easy, I'm still looking... look at moving location.)

You do not need certs to get a job, but it sure does speed up the process. If you're really good, just hook up to their network from outside the door, write a pentesting report and show it to them. But expect to get in trouble if they're not friendly, because pentesting without permission is illegal.

Always remember to get permission before attacking websites, networks or servers. It's illegal without permission; try to get it in writing to cover your back.

Oh, and since I missed one "minor" detail: eat, breathe and sleep Unix (Linux OS), it's a pentester's best friend. You will still need to know how to admin Windows machines though, as you will connect through your OS to theirs and you will need to know where files are hidden etc.

Artarka wrote: Right! I actually started myself out in web programming, learnt two languages (not fluently though) and, more importantly, UNIX commands. Now I've got an interest in server security, yet it looks like a totally new field for me. I failed to find any specific resources on this and I have no idea where to start. I wish someone in the community could provide me some resources or hints on how I should proceed (like making a website you need PHP, making an app you need Java). Can anyone give me a kickstarter please? (Maybe tools and stuff, best with tutorials of course.)

In my signature is my website. I have written two articles there on LFI, and the one talking about how to protect yourself from LFI sounds right up your alley. Here is the link to said article: http://lawofcode.com/article.php?id=4 Basically, make sure your PHP settings restrict users, that you do audits of the code whenever possible, and also make sure that each user's files are only writable by root and themselves, not anyone else. That's just basic stuff. Make sure that you know how to code in the languages you are auditing, and if you see that someone is using something that compromises your server, that you contact them.
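To make the LFI advice in the post above concrete, here is an added example (not code from the original poster or from the linked article) showing the vulnerable include pattern next to one hardened form. The page names, the `templates/` directory layout and the `resolve_page()` helper are assumptions for illustration; the php.ini directives in the comments are real PHP settings.

```php
<?php
// Added example, not from the original post. Shows the classic PHP local
// file inclusion (LFI) bug and one way to close it.

// VULNERABLE: a request parameter becomes the include path. With
// ?page=../../../../etc/passwd or a php://filter wrapper the attacker picks
// what gets included (or, with allow_url_include=On, fetched remotely).
function vulnerable_include(string $page): void
{
    include $page . '.php';   // attacker-controlled path: traversal and stream wrappers
}

// HARDENED: map a fixed set of names to fixed files, then verify the resolved
// path is still inside the template directory as defence in depth.
const PAGES = [
    'home'    => 'home.php',     // assumed layout: ./templates/home.php etc.
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                                   // unknown name: refuse outright
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$page]);
    if ($base === false || $full === false) {
        return null;                                   // directory or file does not exist
    }
    // realpath() canonicalises ".." and symlinks, so a prefix comparison on the
    // canonical path is meaningful; a plain str_contains('..') check is not.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                   // escaped the template directory
    }
    return $full;
}

// Only accept a scalar string; an array in $_GET['page'] must not reach include.
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
$file = resolve_page($page, __DIR__ . '/templates');
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
include $file;

// Matching php.ini settings that back up the code-level fix (real directives):
//   allow_url_include = Off        ; no http:// or data: includes
//   allow_url_fopen   = Off        ; unless the app genuinely needs remote fopen
//   open_basedir      = /var/www/site   ; PHP refuses to touch files outside this tree
//   display_errors    = Off        ; path disclosure in error messages helps LFI
```

The allowlist is the actual fix; the `realpath()` containment check and the `open_basedir` directive are there so that a future edit which reintroduces user input into the path still cannot reach `/etc/passwd`. The file-permission point in the post applies on top of this: the web server user should be able to read `templates/` but not write to it, otherwise an upload bug turns an LFI into code execution.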

I've always put server security and pen-testing in two different categories, of which server security is by far the harder one. As a hacker/pen-tester, you have the opportunity to throw a lot of things at your target, many of which are already made and boxed in a handy little (pricey for the good stuff) package. You only have to be right once to find an exploit. As a server administrator trying to secure your server, you have to be right all the time, and you have to be psychic (know what's coming).

There is literally too much data on server security; it's all going to depend on what server you are securing... the challenges for IIS web server vs. Apache vs. Node, yada yada... just Google search "best practices for ________", inserting the server type. Start with best practices, then move into more explicit stuff like firewalls, monitoring, backups, etc. Just my 2 cents.